mizzao / meteor-sharejs

Meteor smart package for transparently adding ShareJS editors to an app
MIT License
225 stars 53 forks source link

meteor 0.6.6 browser-policy activation affects sharejs #2

Closed geekyme closed 10 years ago

geekyme commented 11 years ago

Hi again, i'm using browser-policy to improve security against XSS. This is what appears in my client console when i loaded my meteor app with sharejs activated.


Refused to load the script 'http://ajaxorg.github.com/ace/build/src/ace.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
There are 0posts main.js?44864693a7c5e6807c732a29a1a625e0cdc22740:12
Refused to load the script 'http://ajaxorg.github.com/ace/build/src/ace.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
Uncaught ReferenceError: ace is not defined 

mizzao commented 11 years ago

I'm planning to integrate the download and serving of ace.js as part of the build process as mentioned in #3. Hopefully this will solve both these issues.

mizzao commented 10 years ago

In commit 85760c5cb537f69a6306fded10f4e8817b884fc4, I switched to having the server download the ace.js library and serve it as a Meteor asset. It's probably a little brittle right now, but tested to be working, and should improve as we iron out the kinks.